Column: Behind the Firewall
Security data lapses hamper researchers

By Dennis Fisher
01 Jul 2008 | SearchSecurity.com

If there's one thing that the security community has never lacked, it is innovative and original research. From the earliest days of the industry, free thinkers at IBM, Bell Labs, MIT and labs and universities around the world have been working out creative solutions to some of the tougher problems in computing.
If the papers presented at the Workshop on Economics in Information Security at Dartmouth College last week are any indication, that spirit of innovation and curiosity is alive and well. However, much of this research is being severely hampered by the lack of accurate, unbiased data from credible sources on attacks, data breaches and other incidents. Any study or research project, no matter how well thought out, is only as good as the data on which it's based. And right now, that data is not very good.

"We need better information on attacks and better data. What statistics are out there are very poor," says Tyler Moore of the University of Cambridge, who presented a paper entitled Security Economics and European Policy at the workshop. "People have a bias to over- or underreport, and some of the victims may not know the cause of their compromise," he says.

Moore and his co-authors focused on issues facing the European Union, but many of their recommendations would be just as welcome in the United States. Specifically, the time has come for the Congress to set aside petty arguments and pass a comprehensive national data breach disclosure law. The vast majority of states have passed such laws in the last five years, and the result is a confusing patchwork of regulations with any number of different thresholds for disclosure, numerous exceptions and safe harbors for encrypted data, and dozens of definitions of what constitutes personal or confidential data. The state laws have served several purposes, most importantly in bringing the epidemic of data thefts to light. But they have sown plenty of confusion as well, and an overarching federal disclosure law could go a long way toward clearing up that confusion.

The debate over a federal law is sure to be loud and contentious, with plenty of misinformation and posturing from all sides. And, like many federal laws, it would likely end up being a watered-down measure that satisfies almost no one. But the scope of the problem demands attention on a national scale, and any national law must include strong sanctions for organizations that fail to report breaches. There are plenty of stories out there these days of companies that have found creative ways of interpreting the state disclosure laws in order to avoid public embarrassment. People will always find ways around rules they find inconvenient, but Congress should ensure that companies that choose this route will find a hefty fine, at minimum, at the end of the road.

To go along with a federal law, the next president should establish a central repository to collect and disseminate data on breaches, thefts and other relevant attacks. The Federal Trade Commission serves this purpose to a limited extent right now, by collecting and publishing numbers on identity theft, but that's just a small part of the picture. We need an independent authority to which all government agencies and independent businesses must report qualifying data breaches and other compromises of confidential information. And -- here's the kicker -- those reports must include specific details of the compromise, as best it can be worked out. Those reports can then be collected, analyzed, stripped of any identifying details and published.

What better way for companies to identify the weak points of their own strategies than to see what's working and what isn't for their peers? This was the original mission of the Information Sharing and Analysis Centers (ISAC), but the data generated by each ISAC is generally restricted to its members. We need a national, cross-industry center that can serve this purpose and provide anonymized data on attacks and thefts. Without it, we'll simply keep stumbling along the same path we're on now, without any sense of why we're heading in one direction instead of another.
